willallves · willallves · Oct 25, 2022 · Oct 26, 2022 · Oct 26, 2022 · Oct 26, 2022
diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml
@@ -1,14 +1,15 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v2
+        uses: actions/dependency-review-action@v3
diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml
@@ -4,13 +4,18 @@ on:
     # Random minute number to avoid GH scheduler stampede
     - cron: '37 21 * * *'
   workflow_dispatch: {}
-permissions:
-  contents: read
-  packages: write
+
+env:
+  NIGHTLY: true
 
 jobs:
   build-and-publish-images:
     runs-on: ubuntu-20.04
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -31,4 +36,4 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push images
-        run: ./.github/workflows/scripts/push-scratch-images.sh nightly
+        run: ./.github/workflows/scripts/push-images.sh nightly -scratch
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -3,14 +3,18 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.19.2
+  GO_VERSION: 1.19.4
 permissions:
   contents: read
 
 jobs:
   cache-deps:
     name: cache-deps (linux)
     runs-on: ubuntu-20.04
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -30,6 +34,10 @@ jobs:
     name: lint (linux)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -64,6 +72,10 @@ jobs:
         OS: [ubuntu-20.04, macos-latest]
     runs-on: ${{ matrix.OS }}
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -83,6 +95,10 @@ jobs:
     name: unit-test (linux with race detection)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -102,6 +118,10 @@ jobs:
     name: artifacts (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -133,6 +153,10 @@ jobs:
     name: images (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -166,6 +190,10 @@ jobs:
     name: images (windows)
     runs-on: windows-2022
     needs: artifact-windows
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -189,6 +217,10 @@ jobs:
   scratch-images:
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -222,6 +254,10 @@ jobs:
     name: integration (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps, images, scratch-images]
+
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -278,8 +314,10 @@ jobs:
     name: integration (windows)
     runs-on: windows-2022
     needs: images-windows
-    strategy:
-      fail-fast: false
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -327,6 +365,10 @@ jobs:
   cache-deps-windows:
     name: cache-deps (windows)
     runs-on: windows-2022
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -346,6 +388,10 @@ jobs:
     name: lint (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -379,7 +425,7 @@ jobs:
             mingw-w64-x86_64-toolchain
             unzip
       - name: Lint
-        run: make lint
+        run: make lint-code
       - name: Tidy check
         run: make tidy-check
       - name: Generate check
@@ -389,6 +435,10 @@ jobs:
     name: unit-test (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -421,6 +471,10 @@ jobs:
     name: artifact (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}